Remote PowerShell Session (PS Module)

Detects PowerShell Remoting (WinRM) sessions on the target host: PowerShell module-logging events (Event ID 4103) whose ContextInfo reports the host name ServerRemoteHost and wsmprovhost.exe as the host application.

Sigma rule

title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019/08/10
modified: 2023/01/20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral_movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains|all:
            - ' = ServerRemoteHost '  # Host Name = ServerRemoteHost; the value, not the localized label, is matched (French-localized logs: "Nom d’hôte = ServerRemoteHost")
            - 'wsmprovhost.exe'       # Host Application contains wsmprovhost.exe (French-localized logs: "Application hôte =")
    filter_pwsh_archive:
        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use of remote PowerShell sessions
level: high
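The rule's detection logic, re-implemented in plain Python and run over a few constructed Event ID 4103 ContextInfo blocks, as an added example (this is not code from the rule or from the SigmaHQ project). The sample events, host names and user names are made up; field labels follow the `Field = Value` layout of module-logging events, and the two French labels come from the rule's own comments. One assumption is made explicit in `normalize()`: the rule's value `' = ServerRemoteHost '` carries a space on both sides, so the example folds the newline-separated ContextInfo lines into single spaces before matching, which is what lets it fire. Whether your backend does the same is something to verify before trusting the rule in production.

```python
"""Sigma 'Remote PowerShell Session (PS Module)' logic over sample 4103 events.

Added example; not part of the rule or the SigmaHQ project.
"""

# Values copied verbatim from the rule.
SELECTION_CONTAINS_ALL = (" = ServerRemoteHost ", "wsmprovhost.exe")
FILTER_PWSH_ARCHIVE = (
    r"\Windows\system32\WindowsPowerShell\v1.0\Modules"
    r"\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1"
)


def normalize(context_info: str) -> str:
    """Fold the newline-separated 'Field = Value' lines into one space-separated
    string padded with a space on each side.

    Assumption (this example's, not the rule's): the SIEM stores ContextInfo with
    whitespace folded like this. Against a raw 'Host Name = ServerRemoteHost\\r\\n'
    the trailing space in the rule's value would not match, so check how your
    backend normalizes the field.
    """
    return " " + " ".join(context_info.split()) + " "


def sigma_match(context_info: str) -> bool:
    """Evaluate `selection and not 1 of filter_*`.

    Sigma string modifiers are case-insensitive by default, hence .lower().
    """
    ci = normalize(context_info).lower()
    selection = all(v.lower() in ci for v in SELECTION_CONTAINS_ALL)
    filter_pwsh_archive = FILTER_PWSH_ARCHIVE.lower() in ci
    return selection and not filter_pwsh_archive


# Constructed sample events (names, users and versions are made up).
SAMPLE_EVENTS = {
    # Remoting session on an English-localized host: should alert.
    "remote_en": """
        Severity = Informational
        Host Name = ServerRemoteHost
        Host Version = 1.0.0.0
        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding
        Command Name = Get-Process
        Command Type = Cmdlet
        Script Name =
        Command Path =
        User = CORP\\alice
        Connected User = CORP\\alice
    """,
    # Interactive console on the same box: should not alert.
    "local_console": """
        Severity = Informational
        Host Name = ConsoleHost
        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
        Command Name = Get-Process
        User = CORP\\alice
    """,
    # French-localized host: the labels change, the values do not, which is why
    # the rule matches ' = ServerRemoteHost ' instead of a 'Host Name' field.
    "remote_fr": """
        Nom d’hôte = ServerRemoteHost
        Application hôte = C:\\Windows\\system32\\wsmprovhost.exe -Embedding
    """,
    # Remoting session whose logged module is Microsoft.PowerShell.Archive,
    # excluded by filter_pwsh_archive: should not alert.
    "remote_en_archive": """
        Severity = Informational
        Host Name = ServerRemoteHost
        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding
        Command Name = Expand-Archive
        Command Type = Function
        Script Name = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1
        User = CORP\\alice
    """,
}


def run_rule(events: dict[str, str]) -> dict[str, bool]:
    """Apply the rule to every sample and report which ones fire."""
    return {name: sigma_match(ci) for name, ci in events.items()}


if __name__ == "__main__":
    for name, hit in run_rule(SAMPLE_EVENTS).items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no match'}")
```

The Archive filter is worth a second look when tuning: it exempts any remote session in which that module path appears in ContextInfo, so a `Expand-Archive` run over WinRM is silently dropped even though the session itself is exactly what the rule is meant to surface.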
